How to avoid getting locked out of your own account with multi-factor authentication
Multi-factor authentication (MFA) is one of the most popular authentication security solutions available to organizations today. It really comes as no surprise, as the multi-factor authentication benefits of enhanced security go beyond the basic password security measures by forcing the user to authenticate with another method that (presumably) only the legitimate user has access to.
While multi-factor authentication benefits are substantial, there is a new risk that has emerged: getting locked out of your own account. This article will detail how to avoid getting locked out of your account with multi-factor authentication and will explore the benefits of multi-factor authentication as well as the risk that not using multi-factor authentication presents.
See Infosec IQ in action
What is multi-factor authentication?
Multi-factor authentication is an advanced authentication method that goes beyond the traditional password to offer better security for authenticating devices, applications and web-based sessions. Also known as two-factor authentication (2FA), MFA refers to five categories of authentication factors:
- Knowledge: Something that the user knows (username, password and PIN)
- Possession: Such as a safety token
- Heritage: Refers to retina verification, fingerprint or voice recognition
- Place: User’s physical position
- Time: Time-sensitive window of opportunity for authentication
Benefits of Multi-Factor Authentication (MFA)
Multi-factor authentication solutions are becoming an integral part of the organizational security profile. Below are some of the reasons why organizations are turning to MFA.
Multi-Factor Authentication provides stronger security
Central to MFA is the fact that each authentication factor compensates for the weaknesses of the other factors. For example, a less than strong password can be compensated for with a physical MFA USB key. Having the extra layer (or more) of authentication factors means stronger security over the traditional single-factor authentication process.
Multi-factor Authentication fulfills compliance needs
Compliance standards are a necessary part of many industries and many legal and regulatory standards, such as in the financial industry, require that MFA be implemented within an organization. Other regulatory standards, such as HIPAA in healthcare, require that a strong authentication process is implemented, leaving the choice of what to implement up to the organization. MFA meets the regulatory compliance standards of multiple industries, which is another reason why organizations are adopting multi-factor authentication solutions.
Multi-factor Authentication offers simplification
Using multiple authentication methods to authenticate a user may seem like it would complicate an organization’s user authentication processes; in reality, it produces simplification. With single sign-on, once the user is authenticated, they are given access to all of the organization’s covered apps. For example, if a user normally accesses five organization apps, one authentication can replace five separate authentications.
Risk associated with Multi-Factor Authentication
Despite the benefits of MFA, there is also an inherent risk associated with it. I am referring to this as the “use it or lose it” rule. This refers to the risk that if MFA is not enabled and an attacker gains access to an account and enables it, the attacker sets the authentication factors. Therefore, the attacker has the power over authentication which would lock the user out of their own account. Use it or lose it indeed.
Attackers know that while MFA is becoming more available and used, there still are organizations that have not enabled it and may never. This is because many organizations fear they will drive away good employees by increasing security. Never being shy to take advantage, attackers use MFA like any other tool in its arsenal.
Phishing simulations & training
How to avoid being locked out of your account
Being locked out of your account is a risk that may be a clear and present danger for your organization. (Yes, I am talking especially to the organizations that fear more security implementations will cull their workforce.) By following the recommendations below, you can avoid the MFA pitfall of being locked out yourself.
Enable Multi-Factor Authentication
Enabling MFA is the easiest way to avoid being locked out of your account by an attacker that has enabled it before you do. While organizations have their own reasons for not enabling MFA (such as fear of driving off users), the fact is that MFA is becoming more commonly used and chances are most users have used MFA at some point by now. Therefore, the fear of implementing MFA should be tempered by demonstrating how easy it is to use (especially with single sign-on) and that the increased security that MFA offers may help prevent attacks that will lock users out in the first place.
Enrolling additional factors
After MFA is enabled, users can still be locked out of their account. This can occur when the user forgets their MFA authentication factors (such as their PIN or password), loses their device with that factor stored within or their secondary device that generates a recovery code (such as their smartphone for SMS-based authentication).
Enrolling additional factors, such as a secondary phone number for SMS, voice recognition or a safety token, can give an extra authentication method to the user as well as an extra layer of security overall.
Multi-Factor Authentication: not a panacea
MFA definitely improves security, but it is not a perfect panacea, as it only applies to authentication. Attackers have other methods of compromise such as phishing, token stealing and stolen biometric data. MFA should be only one part of an overall robust security strategy for an organization.
Conclusion
Multi-factor authentication is a security measure for authentication that offers substantial security advantages over the traditional 1FA authentication scheme. It allows for one or more extra layers of authentication factors that, if not enabled, can be used against the user by an attacker who turns it on after gaining a foothold on a compromised system. To avoid this, enable MFA with as many authentication factors as possible and use MFA as part of a comprehensive, robust organizational security strategy.
Sources
Multi-Factor Authentication (MFA): What is it and Why Do You Need it?, LoginRadius Identity Blog
Benefits of Multi Factor Authentication, GlobalSign Blog
90% of Gmail users could improve their security easily, but don’t, Sophos Naked Security Blog
In this Series
- How to avoid getting locked out of your own account with multi-factor authentication
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness